US5504810A - Telecommunications fraud detection scheme - Google Patents

Telecommunications fraud detection scheme Download PDF

Info

Publication number
US5504810A
US5504810A US08/125,467 US12546793A US5504810A US 5504810 A US5504810 A US 5504810A US 12546793 A US12546793 A US 12546793A US 5504810 A US5504810 A US 5504810A
Authority
US
United States
Prior art keywords
call
echo
telephone call
telephone
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Lifetime
Application number
US08/125,467
Inventor
Bruce E. McNair
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
AT&T Corp
Original Assignee
AT&T Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by AT&T Corp filed Critical AT&T Corp
Priority to US08/125,467 priority Critical patent/US5504810A/en
Assigned to AMERICAN TELEPHONE AND TELEGRAPH COMPANY reassignment AMERICAN TELEPHONE AND TELEGRAPH COMPANY ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: MCNAIR, BRUCE E.
Assigned to AT&T CORP. reassignment AT&T CORP. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: AMERICAN TELELPHONE AND TELEGRAPH COMPANY
Assigned to AT&T IPM CORP. reassignment AT&T IPM CORP. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: AT&T CORP.
Application granted granted Critical
Publication of US5504810A publication Critical patent/US5504810A/en
Assigned to CREDIT SUISSE AG reassignment CREDIT SUISSE AG SECURITY INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: ALCATEL-LUCENT USA INC.
Anticipated expiration legal-status Critical
Assigned to ALCATEL-LUCENT USA INC. reassignment ALCATEL-LUCENT USA INC. RELEASE BY SECURED PARTY (SEE DOCUMENT FOR DETAILS). Assignors: CREDIT SUISSE AG
Expired - Lifetime legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M15/00Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
    • H04M15/47Fraud detection or prevention means
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M3/00Automatic or semi-automatic exchanges
    • H04M3/22Arrangements for supervision, monitoring or testing
    • H04M3/2281Call monitoring, e.g. for law enforcement purposes; Call tracing; Detection or prevention of malicious calls
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M3/00Automatic or semi-automatic exchanges
    • H04M3/22Arrangements for supervision, monitoring or testing
    • H04M3/36Statistical metering, e.g. recording occasions when traffic exceeds capacity of trunks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M3/00Automatic or semi-automatic exchanges
    • H04M3/38Graded-service arrangements, i.e. some subscribers prevented from establishing certain connections
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M2215/00Metering arrangements; Time controlling arrangements; Time indicating arrangements
    • H04M2215/01Details of billing arrangements
    • H04M2215/0148Fraud detection or prevention means
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M3/00Automatic or semi-automatic exchanges
    • H04M3/002Applications of echo suppressors or cancellers in telephonic connections
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M3/00Automatic or semi-automatic exchanges
    • H04M3/42Systems providing special services or facilities to subscribers
    • H04M3/42314Systems providing special services or facilities to subscribers in private branch exchanges

Definitions

  • This invention relates generally to detecting and controlling unauthorized use of telecommunications networks.
  • PBX private branch exchange
  • Remote access is useful, for example, for allowing a salesperson traveling outside company premises to place calls through the subscriber's PBX to take advantage of volume discount rates. Though useful and convenient, this remote access capability may present a security risk to the subscriber by inadvertently providing an opportunity for unauthorized users to gain access to the network.
  • Current methods for detecting and preventing unauthorized remote access to a communications network typically involve analyzing traffic patterns on the network. For example, one technique involves analyzing the average call duration or the number of calls placed to foreign countries to determine whether the traffic patterns are consistent with a subscriber's call history or call pattern profile. In the event that a call is inconsistent with the subscriber's call pattern profile, the subscriber is provided with a report of the abnormal call activity. Other methods for dealing with the problem of unauthorized use involve automatically denying or blocking access to the network when abnormal use is detected so as to minimize the subscriber's financial loss.
  • Systems which use these techniques may annoy valid users of the network whose authorized calls are blocked inadvertently. Also, systems which automatically deny access encourage "hackers" seeking access to the network to try other authorization codes or points of entry to the network. Such systems do not provide a means for identifying security weaknesses within the network to permit improvement or correction.
  • Quadrature domain reflectometry techniques refers to using echo reflections within the path of a telephone call to generate information about distances between equipment in the call path. Echo data are collected for the telephone call from a predetermined point in the network to a point where the call originated. The data are either processed to generate an indication of whether the telephone call comprises multiple legs or are compared with call attribute data to determine whether the telephone call is most likely valid or most likely fraudulent. In this manner, those telephone calls most susceptible to unauthorized use, such as remote access calls placed through a PBX, are readily identified.
  • the indication that a telephone call comprises multiple legs is advantageously used together with call attribute information, such as whether the call is placed to an international destination, to determine whether a given multiple-leg call is most likely a valid access to the communication system or most likely fraudulent.
  • call attribute information such as whether the call is placed to an international destination
  • the determination that a given call is a multiple-leg (e.g., remote access) call, together with selected call pattern information characteristic of a particular subscriber (such as the subscriber's average call duration or that the subscriber typically does not place international calls using the remote access capability) provide an indication that the call does not fit the subscriber's call pattern profile.
  • selected call pattern information characteristic of a particular subscriber such as the subscriber's average call duration or that the subscriber typically does not place international calls using the remote access capability
  • appropriate steps are taken to minimize costs for unauthorized network use. For example, the subscriber is notified or the call is interrupted, and particular security weaknesses within the subscriber's network or PBX software are identified.
  • FIG. 1 is a simplified block diagram of a conventional communications network
  • FIG. 2 is a simplified block diagram of a portion of a communications network constructed in accordance with the principles of the invention
  • FIG. 3 is a graph of an illustrative echo plot of the network of FIG. 2;
  • FIG. 4 is a simplified block diagram of an exemplary embodiment of the fraud detection hardware of FIG. 2;
  • FIG. 5 shows an exemplary embodiment of the lookup table of FIG. 4.
  • Remote access capability allows a subscriber to make telephone calls through the subscriber's facilities from locations remote to the subscriber's facilities so as to minimize telecommunications costs.
  • Remote access capabilities may render a subscriber's facilities susceptible to unauthorized use, because the same authorization code that gives the subscriber access to the facilities can be misused by unauthorized users to illegally gain access to those facilities.
  • FIG. 1 shows a communications network which includes three private branch exchanges (PBXs) 100, 102, and 104, telephone stations 106, 108, 110, and 112, central offices 114 and 116, and an international gateway switch 118 which is configured to switch calls to an international destination (not shown).
  • PBXs 100, 102, and 104 are configured to provide remote access capability.
  • the subscriber i.e., one of the subscriber's salespersons
  • PBX 100 then initiates a second call, which originates at the PBX, to telephone station 110.
  • PBX 100 next bridges the first and second calls (which are also referred to as the first and second "legs" of the bridged call) to permit the subscriber at telephone station 108 to talk to the domestic customer at telephone station 110. Because the second leg of the call originates at PBX 100, the subscriber can make toll-free calls from remote locations which are billed as if made from the subscriber's premises, typically at a volume discount rate.
  • PBX 100 typically will be configured to permit the subscriber to place outbound international calls. For example, calls from telephone station 106, which is connected directly to PBX 100, can be placed to international destinations through international gateway switch 118. It is this international dialing capability which often is the target of unauthorized users.
  • an unauthorized user placing calls from telephone station 112 can use the remote access capability of PBX 100 to place international calls through international gateway switch 118 while charging the cost of the call to the subscriber.
  • This type of fraud can be difficult to detect, because the subscriber often cannot distinguish between (1) authorized international calls placed from telephone station 106, (2) authorized international calls placed from telephone station 108 using the remote access capability of PBX 100, and (3) unauthorized, fraudulent international calls placed from telephone station 112 using the remote access capability of PBX 100.
  • FIG. 1 shows a second example of how an unauthorized user at telephone station 112 can place calls to an international destination.
  • the call is placed through more than one PBX, so as to further obscure the unauthorized user's identity.
  • a call placed from telephone station 112 can use the remote access capability of a first PBX 102 to dial up the remote access capability of a second PBX, namely, PBX 104.
  • the remote access capability of PBX 104 is then used to place an international call through international gateway switch 118.
  • Prior art fraud detection techniques are ill-equipped to handle this type of fraudulent call.
  • Echo data are collected for the telephone call from a predetermined point in the network to a point where the call originated. As described below, the data are processed to generate an indication of whether the telephone call comprises multiple legs, thus identifying those calls most susceptible to unauthorized use. Information about the number of legs of a given call is processed together with other information about the call to determine whether the call most likely resulted from a valid access to the communication system or is most likely fraudulent.
  • information about the echo path for a particular call is used to determine whether the call has multiple legs (e.g., whether the call is a remote access call placed through a PBX).
  • the existence of multiple legs within a call often will be sufficient, in itself, to indicate that a particular call is most likely fraudulent.
  • a more reliable indication can be obtained, however, by analyzing the determination that a given call is a multiple-leg call together with selected attributes of the call. For example, a multiple-leg call placed to a country notorious for drug trafficking can be flagged as a call that is most likely fraudulent.
  • the determination that a given call is a multiple-leg call can be analyzed together with a subscriber's call pattern information. For example, the subscriber's average call duration, or an indication that the subscriber typically does not place international calls using the remote access capability of the subscriber's PBX, can be compared with data obtained from the call to provide an indication that the call does not fit the subscriber's call pattern profile. When the existence of fraud is indicated, appropriate steps are taken to minimize costs for unauthorized network use. For example, the subscriber is notified or the call is interrupted. Moreover, particular security weaknesses within the subscriber's network or PBX software can be readily identified.
  • FIG. 2 shows an exemplary call path in a communication network constructed in accordance with the invention.
  • the call path includes a PBX 200, an international gateway switch 202, a telephone station 204, central offices 206, 208, and 210, a signaling network 211, an echo canceller 212, fraud detection hardware 214, and a fraud management center 216.
  • the call path may include other switches, such as interexchange carrier switches, which are not shown.
  • Central offices 206, 208, and 210 illustratively are 5ESS® switches manufactured by American Telephone & Brass Co., Inc. (AT&T).
  • International gateway switch 202 illustratively is a 4ESSTM switch manufactured by AT&T.
  • Echo canceller 212 is a conventional echo canceller that is used to minimize echo for all calls switched through international gateway switch 202. As described below, fraud detection hardware 214 and fraud management center 216 perform the processing required to determine whether a particular call has multiple legs and whether that call is most likely valid or most likely fraudulent.
  • PBX 200 is configured to permit outbound international calling and to provide remote access capability. Calls placed from telephone station 204 to an international destination using the remote access capability of PBX 200 have two legs. The first leg comprises a call originating from telephone station 204 and terminating at PBX 200. The first leg is switched through central offices 206 and 208. The second leg comprises a call which originates from PBX 200 and is routed through international gateway switch 202 to terminate at the international destination. The second leg is routed through central office 210, echo canceller 212, and international gateway switch 202. When the two legs are established, PBX 200 bridges the two legs into a single, multiple-leg call which is said to "originate" at telephone station 204.
  • the connections between telephone station 204 and central office 206, and between PBX 200 and central offices 208 and 210 are 2-wire connections.
  • the connections between central offices 206 and 208 and between central office 210 and echo canceller 212 are 4-wire connections.
  • the conversion between 2wire and 4-wire connections are performed by circuits commonly referred to as "hybrids.” Because the hybrids cannot be balanced perfectly, some echo will be introduced at the hybrids. As described in greater detail below, the present invention advantageously uses the echo produced at the hybrids to determine the number of legs in a telephone call.
  • echo canceller 212 will send a probe signal through the network to determine the echo characteristics of the network. Echo canceller 212 sends the probe signal in a conventional manner to explicitly determine the bulk delay, so that the echo canceller can build a model of the echo path for the call. Echo data generated by the probe signal also is provided to fraud detection hardware 214 for processing in accordance with the invention.
  • the probe signal from echo canceller 212 is directed through the network to telephone station 204, generating significant echo peaks at those points in the network where the probe signal encounters imperfectly balanced hybrids. Each echo peak indicates a different leg of the call. These echo peaks return to echo canceller 212 and are advantageously used to determine the number of legs in the call.
  • FIG. 3 shows an exemplary plot of echo magnitude versus time for the path from echo canceller 212 to telephone station 204.
  • the path length of the first leg of the call (extending between telephone station 204 and PBX 200) is 500 miles and that the path length of the second leg of the call (extending between PBX 200 and echo canceller 212) is 1,000 miles.
  • Central office 206 and central offices 208 and 210 are assumed to be a negligible distance from telephone station 204 and PBX 200, respectively. Because an echo travels at approximately the speed of light, a delay of 2/186 seconds will appear per 1,000 miles along the transmission path.
  • FIG. 3 shows a first echo peak after 2/186 seconds, the peak indicating the presence of the hybrids which perform the 2-wire to 4-wire conversions for PBX 200 (i.e., the second leg of the call).
  • FIG. 3 also shows a second, smaller echo peak at 3/186 seconds, indicating the presence of the hybrids in central office 206 (i.e., in the first leg of the call).
  • the two peaks may correspond to echoes occurring respectively at 1000 miles and 1025 miles from fraud detection hardware 214.
  • the probe signal output by echo canceller 212 will generate three or more echo peaks. A different peak will appear for each PBX, together with a peak for the hybrid associated with the originating telephone station.
  • fraud detection hardware 214 can be configured to automatically interrupt the call because it is unlikely that an authorized user of the communications network would place an international call through two PBX systems.
  • echo canceller 212 outputs the echo signals generated by the probe signal to fraud detection hardware 214 which processes the echoes in accordance with the invention.
  • Fraud detection hardware 214 processes the echoes, for example, by first filtering the echoes to identify echo peaks which exceed a predetermined threshold magnitude, and then counting the echo peaks which exceed the threshold.
  • FIG. 4 shows an exemplary embodiment of fraud detection hardware 214.
  • Fraud detection hardware 214 includes an input/output (I/O) device 400, a central processing unit (CPU) 402, a digital signal processor 404, a lookup table 406 for converting a caller's automatic number identifier (ANI) to a distance value, and a shared memory device 408.
  • Digital signal processor 404 illustratively is a model DSP 16 manufactured by AT&T.
  • Lookup table 406 illustratively is an ANI-to-vertical/horizontal map (see FIG. 5).
  • Fraud detection hardware 214 operates as follows.
  • CPU 402 instructs digital signal processor 404 to probe the telephone channel for echo data. Echo samples from the channel are routed by CPU 402 from I/O device 400 to shared memory 408.
  • CPU 402 next instructs digital signal processor 404 to compute the echo delays (alternatively CPU 402 receives an indication from digital signal processor 404 of the number of echo peaks detected).
  • CPU 402 compares the echo delay computed by digital signal processor 404 with delay data (retrieved from lookup table 406) for calls placed from the caller's ANI.
  • the computed (actual) echo delay will be the delay associated with the call path to telephone station 204.
  • the ANI used to retrieve echo delay data from lookup table 406 will be that of the PBX rather than that of telephone station 204. If the computed delay and the delay from lookup table 406 differ by more than a predetermined amount that corresponds to an acceptable margin of error, indicating that the call originated from somewhere other than the ANI used in lookup table 406, CPU 402 outputs an alerting signal to fraud management center 216.
  • the alerting signal generated by fraud detection hardware 214 illustratively specifies the trunk number of the trunk carrying the call and several call parameters.
  • the call parameters may include the originating ANI (e.g., the ANI of PBX 200), the destination telephone number, the number of echo peaks, and the distance from fraud detection hardware 214 of the equipment which generated the echo peaks.
  • FIG. 5 shows an exemplary ANI-to-vertical/horizontal map 500 suitable as lookup table 406.
  • the map includes three columns 502, 504, and 506.
  • Column 502 stores a list of Numbering Plan Areas (NPA) and exchanges found throughout the telephone system.
  • Column 504 stores a list of corresponding latitude and longitude coordinates.
  • Column 506 stores a list of the respective distances (in miles) between fraud detection hardware 214 and each of the latitude/longitude coordinate pairs. The distance from a point in the network to a latitude and longitude coordinate can be calculated as described in ARRL Antenna Book, 14th Ed., American Radio Relay League, Newington, Conn. 1984, Ch. 16, which is hereby incorporated by reference.
  • Fraud detection hardware 214 and fraud management center 216 are configured to take predetermined steps once it is determined that a given call comprises multiple legs.
  • fraud detection hardware 214 can be configured to generate an alerting signal for all international calls made using remote access.
  • Fraud management center 216 can alert the subscriber of possible unauthorized access upon receipt of each alerting signal, or can be configured to perform further analysis for all multiple-leg calls using information obtained through signaling network 211 or derived from the call billing record.
  • fraud management center 216 can be configured to examine the average call duration or the country code of the international destination. (The information to perform analyses involving subscriber average call duration may be obtained by the subscriber and maintained in a database by fraud management center 216). If the call duration exceeds the subscriber's average call duration, or the call is placed to a country which is particularly suspect for telephone fraud, fraud management center 216 flags the call for further action, such as the attention of an attendant.
  • fraud management center 216 determines that a call is suspect and generates an indication to that effect, various steps which are well known in the prior art can be taken to minimize present and future losses for the subscriber. For example, fraud management center 216 may be configured to automatically notify the subscriber (either in real-time or at some convenient, predetermined interval) or automatically terminate the call.
  • fraud detection hardware 214 and fraud management center 216 can provide information useful in identifying the location of the PBX used for remote access to the network. For example, fraud detection hardware 214 provides the ANI of the PBX and its distance from fraud detection hardware 214. Where more than one PBX is involved, fraud detection hardware 214 provides the ANI of the PBX nearest in the call path to echo canceller 212 and the distance between this nearest PBX and any other PBXs in the call path. Fraud management center 216 also enables several different subscribers to cooperate to detect fraud in those instances where multiple PBX systems owned by different subscribers are involved.
  • fraud detection hardware 214 compares the delay value measured using the probe signal with a known delay value for a given call (based on the point of origination of the call) to determine whether a call has multiple legs.
  • Fraud detection hardware 214 can be provided with the ANI of the telephone originating the international call, which in the case of FIG. 2 is the ANI of PBX 200.
  • Fraud detection hardware 214 uses the ANI to determine the distance between PBX 200 and echo canceller 212, for example, by accessing a lookup table. (The distances between most land-based system components are known.)
  • Fraud detection hardware 214 then compares the experimentally-determined delay value with the known delay value. If the two values are equal, the call has only one leg. However, if the experimentally-determined delay value exceeds the known delay value, the call must have originated at a point further from echo canceller 212 (i.e., at telephone station 204) than PBX 200, thus indicating a multiple-leg call.
  • fraud detection hardware 214 compares the detected echo characteristics of the path of a telephone call with data representing attributes of the telephone call to determine whether the echo characteristics of the path are consistent with the call attributes.
  • fraud detection hardware 214 may be configured to determine the approximate distance between itself and to the point where the call originated, and compare that distance with the country code identifying the country in which the call originated. If the country code and the distance are inconsistent, fraud detection hardware 214 generates an indication that the access request is most likely fraudulent.
  • the invention has been described in the context of unauthorized calls placed to international destinations, one skilled in the art will appreciate that the principles of the invention are equally applicable to detecting unauthorized calls to domestic destinations. Similarly, the invention is not limited to fraud detection for calls involving the remote access capability of PBXs. Rather, the invention is readily applicable to any type of intermediate switching point. For example, the quasi-time domain reflectometry techniques of the invention are suitable for detecting fraud in "network-based" PBXs that are used in applications such as AT&T's EasyReach® 700 telecommunications service. The invention is applicable to any type of enhanced service involving multiple-leg calls.
  • Data transmissions are analyzed by first computing the autocorrelation of the transmitted signal.
  • the autocorrelation function is processed to identify peaks, in a manner analogous to the techniques described above for identifying echo peaks. Peaks in the autocorrelation function correspond to echo peaks in a voice transmission, and are used in accordance with the teachings of the invention to identify multiple-leg calls.

Abstract

Methods and apparatus are disclosed for providing increased security in a telecommunications network by using quasi-time domain reflectometry techniques to identify those telephone calls which comprise multiple legs. Echo data are collected for the telephone call from a predetermined point in the network to a point where the call originated. The data are processed to generate an indication of whether the telephone call comprises multiple legs, thus identifying those calls most susceptible to unauthorized use. The indication that a telephone call comprises multiple legs is advantageously used together with call attribute information, such as whether the call is placed to an international destination, to determine whether a given multiple-leg call is most likely a valid access to the communication system or most likely fraudulent.

Description

FIELD OF THE INVENTION
This invention relates generally to detecting and controlling unauthorized use of telecommunications networks.
BACKGROUND OF THE INVENTION
There are currently many situations in which telecommunications networks are used by individuals without authorization. Unauthorized network use places a large financial burden on the entity which owns the network or pays for use of the network. The risk of loss due to unauthorized use is particularly acute in those networks which allow access to the network remotely, for example, through the use of an authorization code and a toll-free ("800") telephone number. The authorization code is used to gain access to a private branch exchange (PBX) which provides "remote access" capabilities--the ability to access private network facilities from off-network locations--to a network customer or PBX owner (collectively referred to as a "subscriber"). Remote access is useful, for example, for allowing a salesperson traveling outside company premises to place calls through the subscriber's PBX to take advantage of volume discount rates. Though useful and convenient, this remote access capability may present a security risk to the subscriber by inadvertently providing an opportunity for unauthorized users to gain access to the network.
Current methods for detecting and preventing unauthorized remote access to a communications network typically involve analyzing traffic patterns on the network. For example, one technique involves analyzing the average call duration or the number of calls placed to foreign countries to determine whether the traffic patterns are consistent with a subscriber's call history or call pattern profile. In the event that a call is inconsistent with the subscriber's call pattern profile, the subscriber is provided with a report of the abnormal call activity. Other methods for dealing with the problem of unauthorized use involve automatically denying or blocking access to the network when abnormal use is detected so as to minimize the subscriber's financial loss.
Systems which use these techniques may annoy valid users of the network whose authorized calls are blocked inadvertently. Also, systems which automatically deny access encourage "hackers" seeking access to the network to try other authorization codes or points of entry to the network. Such systems do not provide a means for identifying security weaknesses within the network to permit improvement or correction.
SUMMARY OF THE INVENTION
Increased network security is provided in accordance with the invention by using quasi-time domain reflectometry techniques to identify those telephone calls which are most likely fraudulent. As used herein, "quasi-time domain reflectometry techniques" refers to using echo reflections within the path of a telephone call to generate information about distances between equipment in the call path. Echo data are collected for the telephone call from a predetermined point in the network to a point where the call originated. The data are either processed to generate an indication of whether the telephone call comprises multiple legs or are compared with call attribute data to determine whether the telephone call is most likely valid or most likely fraudulent. In this manner, those telephone calls most susceptible to unauthorized use, such as remote access calls placed through a PBX, are readily identified.
In an exemplary embodiment of the invention, the indication that a telephone call comprises multiple legs is advantageously used together with call attribute information, such as whether the call is placed to an international destination, to determine whether a given multiple-leg call is most likely a valid access to the communication system or most likely fraudulent. Similarly, the determination that a given call is a multiple-leg (e.g., remote access) call, together with selected call pattern information characteristic of a particular subscriber (such as the subscriber's average call duration or that the subscriber typically does not place international calls using the remote access capability) provide an indication that the call does not fit the subscriber's call pattern profile. In such cases, appropriate steps are taken to minimize costs for unauthorized network use. For example, the subscriber is notified or the call is interrupted, and particular security weaknesses within the subscriber's network or PBX software are identified.
BRIEF DESCRIPTION OF THE DRAWINGS
In the drawings:
FIG. 1 is a simplified block diagram of a conventional communications network;
FIG. 2 is a simplified block diagram of a portion of a communications network constructed in accordance with the principles of the invention;
FIG. 3 is a graph of an illustrative echo plot of the network of FIG. 2;
FIG. 4 is a simplified block diagram of an exemplary embodiment of the fraud detection hardware of FIG. 2; and
FIG. 5 shows an exemplary embodiment of the lookup table of FIG. 4.
DETAILED DESCRIPTION
Before describing the implementation details and novel features of the present invention, it will be useful for illustration purposes to describe an exemplary communications network configured to provide remote access capability. Remote access capability, as described above, allows a subscriber to make telephone calls through the subscriber's facilities from locations remote to the subscriber's facilities so as to minimize telecommunications costs. Remote access capabilities, however, may render a subscriber's facilities susceptible to unauthorized use, because the same authorization code that gives the subscriber access to the facilities can be misused by unauthorized users to illegally gain access to those facilities.
FIG. 1 shows a communications network which includes three private branch exchanges (PBXs) 100, 102, and 104, telephone stations 106, 108, 110, and 112, central offices 114 and 116, and an international gateway switch 118 which is configured to switch calls to an international destination (not shown). The network also includes additional central offices and interexchange carrier switches which have been omitted from the figure for clarity. PBXs 100, 102, and 104 are configured to provide remote access capability.
The subscriber (i.e., one of the subscriber's salespersons) can use the remote access capabilities of PBX 100 to place remote access telephone calls from telephone station 108 to the subscriber's domestic customer at telephone station 110, for example, by dialing an 800 number to access PBX 100. PBX 100 then initiates a second call, which originates at the PBX, to telephone station 110. PBX 100 next bridges the first and second calls (which are also referred to as the first and second "legs" of the bridged call) to permit the subscriber at telephone station 108 to talk to the domestic customer at telephone station 110. Because the second leg of the call originates at PBX 100, the subscriber can make toll-free calls from remote locations which are billed as if made from the subscriber's premises, typically at a volume discount rate.
PBX 100 typically will be configured to permit the subscriber to place outbound international calls. For example, calls from telephone station 106, which is connected directly to PBX 100, can be placed to international destinations through international gateway switch 118. It is this international dialing capability which often is the target of unauthorized users.
In particular, an unauthorized user placing calls from telephone station 112 can use the remote access capability of PBX 100 to place international calls through international gateway switch 118 while charging the cost of the call to the subscriber. This type of fraud can be difficult to detect, because the subscriber often cannot distinguish between (1) authorized international calls placed from telephone station 106, (2) authorized international calls placed from telephone station 108 using the remote access capability of PBX 100, and (3) unauthorized, fraudulent international calls placed from telephone station 112 using the remote access capability of PBX 100.
FIG. 1 shows a second example of how an unauthorized user at telephone station 112 can place calls to an international destination. In particular, the call is placed through more than one PBX, so as to further obscure the unauthorized user's identity. For example, a call placed from telephone station 112 can use the remote access capability of a first PBX 102 to dial up the remote access capability of a second PBX, namely, PBX 104. The remote access capability of PBX 104 is then used to place an international call through international gateway switch 118. Prior art fraud detection techniques are ill-equipped to handle this type of fraudulent call.
Multiple-leg calls (including calls placed through two or more PBXs) are distinguished from single leg calls, in accordance with the present invention, using quasi-time domain reflectometry techniques. Echo data are collected for the telephone call from a predetermined point in the network to a point where the call originated. As described below, the data are processed to generate an indication of whether the telephone call comprises multiple legs, thus identifying those calls most susceptible to unauthorized use. Information about the number of legs of a given call is processed together with other information about the call to determine whether the call most likely resulted from a valid access to the communication system or is most likely fraudulent.
More particularly, information about the echo path for a particular call, such as the echo return loss (i.e., the echo delay time) or the number of echo peaks occurring over the echo path, is used to determine whether the call has multiple legs (e.g., whether the call is a remote access call placed through a PBX). The existence of multiple legs within a call often will be sufficient, in itself, to indicate that a particular call is most likely fraudulent. A more reliable indication can be obtained, however, by analyzing the determination that a given call is a multiple-leg call together with selected attributes of the call. For example, a multiple-leg call placed to a country notorious for drug trafficking can be flagged as a call that is most likely fraudulent. Alternatively, the determination that a given call is a multiple-leg call can be analyzed together with a subscriber's call pattern information. For example, the subscriber's average call duration, or an indication that the subscriber typically does not place international calls using the remote access capability of the subscriber's PBX, can be compared with data obtained from the call to provide an indication that the call does not fit the subscriber's call pattern profile. When the existence of fraud is indicated, appropriate steps are taken to minimize costs for unauthorized network use. For example, the subscriber is notified or the call is interrupted. Moreover, particular security weaknesses within the subscriber's network or PBX software can be readily identified.
FIG. 2 shows an exemplary call path in a communication network constructed in accordance with the invention. The call path includes a PBX 200, an international gateway switch 202, a telephone station 204, central offices 206, 208, and 210, a signaling network 211, an echo canceller 212, fraud detection hardware 214, and a fraud management center 216. (The call path may include other switches, such as interexchange carrier switches, which are not shown.) Central offices 206, 208, and 210 illustratively are 5ESS® switches manufactured by American Telephone & Telegraph Co., Inc. (AT&T). International gateway switch 202 illustratively is a 4ESS™ switch manufactured by AT&T. Echo canceller 212 is a conventional echo canceller that is used to minimize echo for all calls switched through international gateway switch 202. As described below, fraud detection hardware 214 and fraud management center 216 perform the processing required to determine whether a particular call has multiple legs and whether that call is most likely valid or most likely fraudulent.
PBX 200 is configured to permit outbound international calling and to provide remote access capability. Calls placed from telephone station 204 to an international destination using the remote access capability of PBX 200 have two legs. The first leg comprises a call originating from telephone station 204 and terminating at PBX 200. The first leg is switched through central offices 206 and 208. The second leg comprises a call which originates from PBX 200 and is routed through international gateway switch 202 to terminate at the international destination. The second leg is routed through central office 210, echo canceller 212, and international gateway switch 202. When the two legs are established, PBX 200 bridges the two legs into a single, multiple-leg call which is said to "originate" at telephone station 204.
As shown in FIG. 2, several components of the communication network are interconnected using 2-wire connections, while other components are interconnected using 4-wire connections. In particular, the connections between telephone station 204 and central office 206, and between PBX 200 and central offices 208 and 210 are 2-wire connections. The connections between central offices 206 and 208 and between central office 210 and echo canceller 212 are 4-wire connections. The conversion between 2wire and 4-wire connections are performed by circuits commonly referred to as "hybrids." Because the hybrids cannot be balanced perfectly, some echo will be introduced at the hybrids. As described in greater detail below, the present invention advantageously uses the echo produced at the hybrids to determine the number of legs in a telephone call.
During the setup of a typical call switched through international gateway switch 202, echo canceller 212 will send a probe signal through the network to determine the echo characteristics of the network. Echo canceller 212 sends the probe signal in a conventional manner to explicitly determine the bulk delay, so that the echo canceller can build a model of the echo path for the call. Echo data generated by the probe signal also is provided to fraud detection hardware 214 for processing in accordance with the invention. The probe signal from echo canceller 212 is directed through the network to telephone station 204, generating significant echo peaks at those points in the network where the probe signal encounters imperfectly balanced hybrids. Each echo peak indicates a different leg of the call. These echo peaks return to echo canceller 212 and are advantageously used to determine the number of legs in the call.
In the network of FIG. 2, the probe signal output by echo canceller 212 will create two echo peaks which are separated by a time delay. FIG. 3 shows an exemplary plot of echo magnitude versus time for the path from echo canceller 212 to telephone station 204. Assume that the path length of the first leg of the call (extending between telephone station 204 and PBX 200) is 500 miles and that the path length of the second leg of the call (extending between PBX 200 and echo canceller 212) is 1,000 miles. Central office 206 and central offices 208 and 210 are assumed to be a negligible distance from telephone station 204 and PBX 200, respectively. Because an echo travels at approximately the speed of light, a delay of 2/186 seconds will appear per 1,000 miles along the transmission path. (The delay is 2/186 seconds rather than 1/186 seconds because the echo must traverse a 2000 mile round trip.) Thus, FIG. 3 shows a first echo peak after 2/186 seconds, the peak indicating the presence of the hybrids which perform the 2-wire to 4-wire conversions for PBX 200 (i.e., the second leg of the call). FIG. 3 also shows a second, smaller echo peak at 3/186 seconds, indicating the presence of the hybrids in central office 206 (i.e., in the first leg of the call).
Occasionally, network conditions will cause two echo peaks to be generated which are separated in time by a small delay. For example, the two peaks may correspond to echoes occurring respectively at 1000 miles and 1025 miles from fraud detection hardware 214. In such a case, it may be desirable to compare the delay between the echo peaks with a predetermined minimum threshold level to prevent noise or acceptable network configurations (e.g., a PBX with an extension) from creating erroneous indications of fraudulent activity. If the delay between the peaks does not exceed the threshold level, the indication of multiple echo peaks is dismissed as resulting from noise or an acceptable network configuration not indicative of fraudulent activity.
Where a call is placed through several PBXs, for example, using the remote access capability of two or more PBXs as shown in FIG. 1, the probe signal output by echo canceller 212 will generate three or more echo peaks. A different peak will appear for each PBX, together with a peak for the hybrid associated with the originating telephone station. In this instance, fraud detection hardware 214 can be configured to automatically interrupt the call because it is unlikely that an authorized user of the communications network would place an international call through two PBX systems.
Referring again to FIG. 2, echo canceller 212 outputs the echo signals generated by the probe signal to fraud detection hardware 214 which processes the echoes in accordance with the invention. Fraud detection hardware 214 processes the echoes, for example, by first filtering the echoes to identify echo peaks which exceed a predetermined threshold magnitude, and then counting the echo peaks which exceed the threshold.
FIG. 4 shows an exemplary embodiment of fraud detection hardware 214. Fraud detection hardware 214 includes an input/output (I/O) device 400, a central processing unit (CPU) 402, a digital signal processor 404, a lookup table 406 for converting a caller's automatic number identifier (ANI) to a distance value, and a shared memory device 408. Digital signal processor 404 illustratively is a model DSP 16 manufactured by AT&T. Lookup table 406 illustratively is an ANI-to-vertical/horizontal map (see FIG. 5).
Fraud detection hardware 214 operates as follows. CPU 402 instructs digital signal processor 404 to probe the telephone channel for echo data. Echo samples from the channel are routed by CPU 402 from I/O device 400 to shared memory 408. CPU 402 next instructs digital signal processor 404 to compute the echo delays (alternatively CPU 402 receives an indication from digital signal processor 404 of the number of echo peaks detected). CPU 402 then compares the echo delay computed by digital signal processor 404 with delay data (retrieved from lookup table 406) for calls placed from the caller's ANI. The computed (actual) echo delay will be the delay associated with the call path to telephone station 204. If the call is multiple-leg call placed through a PBX, the ANI used to retrieve echo delay data from lookup table 406 will be that of the PBX rather than that of telephone station 204. If the computed delay and the delay from lookup table 406 differ by more than a predetermined amount that corresponds to an acceptable margin of error, indicating that the call originated from somewhere other than the ANI used in lookup table 406, CPU 402 outputs an alerting signal to fraud management center 216.
The alerting signal generated by fraud detection hardware 214 illustratively specifies the trunk number of the trunk carrying the call and several call parameters. The call parameters may include the originating ANI (e.g., the ANI of PBX 200), the destination telephone number, the number of echo peaks, and the distance from fraud detection hardware 214 of the equipment which generated the echo peaks.
FIG. 5 shows an exemplary ANI-to-vertical/horizontal map 500 suitable as lookup table 406. The map includes three columns 502, 504, and 506. Column 502 stores a list of Numbering Plan Areas (NPA) and exchanges found throughout the telephone system. Column 504 stores a list of corresponding latitude and longitude coordinates. Column 506 stores a list of the respective distances (in miles) between fraud detection hardware 214 and each of the latitude/longitude coordinate pairs. The distance from a point in the network to a latitude and longitude coordinate can be calculated as described in ARRL Antenna Book, 14th Ed., American Radio Relay League, Newington, Conn. 1984, Ch. 16, which is hereby incorporated by reference.
Fraud detection hardware 214 and fraud management center 216 are configured to take predetermined steps once it is determined that a given call comprises multiple legs. For example, fraud detection hardware 214 can be configured to generate an alerting signal for all international calls made using remote access. Fraud management center 216 can alert the subscriber of possible unauthorized access upon receipt of each alerting signal, or can be configured to perform further analysis for all multiple-leg calls using information obtained through signaling network 211 or derived from the call billing record. For example, upon detecting a multiple-leg call, fraud management center 216 can be configured to examine the average call duration or the country code of the international destination. (The information to perform analyses involving subscriber average call duration may be obtained by the subscriber and maintained in a database by fraud management center 216). If the call duration exceeds the subscriber's average call duration, or the call is placed to a country which is particularly suspect for telephone fraud, fraud management center 216 flags the call for further action, such as the attention of an attendant.
Once fraud management center 216 determines that a call is suspect and generates an indication to that effect, various steps which are well known in the prior art can be taken to minimize present and future losses for the subscriber. For example, fraud management center 216 may be configured to automatically notify the subscriber (either in real-time or at some convenient, predetermined interval) or automatically terminate the call.
Unlike prior art fraud detection systems, fraud detection hardware 214 and fraud management center 216 can provide information useful in identifying the location of the PBX used for remote access to the network. For example, fraud detection hardware 214 provides the ANI of the PBX and its distance from fraud detection hardware 214. Where more than one PBX is involved, fraud detection hardware 214 provides the ANI of the PBX nearest in the call path to echo canceller 212 and the distance between this nearest PBX and any other PBXs in the call path. Fraud management center 216 also enables several different subscribers to cooperate to detect fraud in those instances where multiple PBX systems owned by different subscribers are involved.
In another exemplary embodiment of the invention, fraud detection hardware 214 compares the delay value measured using the probe signal with a known delay value for a given call (based on the point of origination of the call) to determine whether a call has multiple legs. Fraud detection hardware 214 can be provided with the ANI of the telephone originating the international call, which in the case of FIG. 2 is the ANI of PBX 200. Fraud detection hardware 214 uses the ANI to determine the distance between PBX 200 and echo canceller 212, for example, by accessing a lookup table. (The distances between most land-based system components are known.) Fraud detection hardware 214 then compares the experimentally-determined delay value with the known delay value. If the two values are equal, the call has only one leg. However, if the experimentally-determined delay value exceeds the known delay value, the call must have originated at a point further from echo canceller 212 (i.e., at telephone station 204) than PBX 200, thus indicating a multiple-leg call.
In still another exemplary embodiment of the invention, fraud detection hardware 214 compares the detected echo characteristics of the path of a telephone call with data representing attributes of the telephone call to determine whether the echo characteristics of the path are consistent with the call attributes. For example, fraud detection hardware 214 may be configured to determine the approximate distance between itself and to the point where the call originated, and compare that distance with the country code identifying the country in which the call originated. If the country code and the distance are inconsistent, fraud detection hardware 214 generates an indication that the access request is most likely fraudulent.
Although the invention has been described in the context of unauthorized calls placed to international destinations, one skilled in the art will appreciate that the principles of the invention are equally applicable to detecting unauthorized calls to domestic destinations. Similarly, the invention is not limited to fraud detection for calls involving the remote access capability of PBXs. Rather, the invention is readily applicable to any type of intermediate switching point. For example, the quasi-time domain reflectometry techniques of the invention are suitable for detecting fraud in "network-based" PBXs that are used in applications such as AT&T's EasyReach® 700 telecommunications service. The invention is applicable to any type of enhanced service involving multiple-leg calls.
Although the invention has been described in the context of voice communications, the principles of the invention also are applicable to data communications. Data transmissions are analyzed by first computing the autocorrelation of the transmitted signal. The autocorrelation function is processed to identify peaks, in a manner analogous to the techniques described above for identifying echo peaks. Peaks in the autocorrelation function correspond to echo peaks in a voice transmission, and are used in accordance with the teachings of the invention to identify multiple-leg calls.

Claims (10)

I claim:
1. A method comprising the steps of:
analyzing echo characteristics of a path of a telephone call to determine whether the telephone call is a multiple-leg call;
collecting data representing attributes of the telephone call when the echo characteristics indicate that the telephone call is a multiple-leg call; and
processing the data to generate an indication of whether the telephone call was established fraudulently.
2. The method of claim 1 wherein the processing step comprises determining whether the condition of at least one call attribute indicates that the telephone call was established fraudulently.
3. The method of claim 1 wherein the analyzing step comprises the steps of:
generating echo data for the telephone call from a predetermined point in the network to a point where the call originated; and
responding to the echo data to generate an indication of whether the telephone call comprises multiple legs.
4. The method of claim 3 wherein the responding step comprises:
filtering the echo data to identify echo peaks; and
generating an indication that the telephone call is a multiple-leg call if there are at least two identified echo peaks.
5. The method of claim 3 wherein the responding step comprises:
determining from the echo data the echo return loss between the predetermined point and the point where the call originated; and
comparing the determined echo return loss with an expected echo return loss for the telephone call; and
generating an indication that the telephone call is a multiple-leg call if the determined echo return loss exceeds the expected echo return loss by more than a predetermined amount.
6. The method of claim 3 wherein the responding step comprises:
determining from the echo data the approximate distance between the predetermined point and the point where the call originated; and
comparing the determined distance with an expected distance for the telephone call; and
generating an indication that the telephone call is a multiple-leg call if the determined distance exceeds the expected distance by more than a predetermined amount.
7. The method of claim 1 wherein the step of processing call attribute data comprises determining whether the call is placed to a country which belongs to a predetermined group of high-fraud countries.
8. A method comprising the steps of:
detecting the echo characteristics of the path of a telephone call;
collecting data representing attributes of the telephone call;
determining whether the collected data and the echo characteristics of the path are consistent with each other; and
generating an indication that the telephone call was established fraudulently when the collected data and the characteristics of the path are inconsistent with each other.
9. The method of claim 8 wherein the detecting step comprises determining the approximate distance between a predetermined point in the path and a point where the call originated.
10. The method of claim 9 wherein the determining step comprises comparing said distance with a country code which identifies a country from which the telephone call originated.
US08/125,467 1993-09-22 1993-09-22 Telecommunications fraud detection scheme Expired - Lifetime US5504810A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US08/125,467 US5504810A (en) 1993-09-22 1993-09-22 Telecommunications fraud detection scheme

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US08/125,467 US5504810A (en) 1993-09-22 1993-09-22 Telecommunications fraud detection scheme

Publications (1)

Publication Number Publication Date
US5504810A true US5504810A (en) 1996-04-02

Family

ID=22419849

Family Applications (1)

Application Number Title Priority Date Filing Date
US08/125,467 Expired - Lifetime US5504810A (en) 1993-09-22 1993-09-22 Telecommunications fraud detection scheme

Country Status (1)

Country Link
US (1) US5504810A (en)

Cited By (44)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1997032289A1 (en) * 1996-02-29 1997-09-04 Motorola Inc. Method for detecting fraudulent use of a communication system
US5668856A (en) * 1994-08-05 1997-09-16 Kokusai Denshin Denwa Kabushiki Kaisha Method and system for screening calls directed to an international telephone operator
US5724404A (en) * 1995-07-03 1998-03-03 Garcia; Max Integrated international telephone circuit monitoring system
US5949864A (en) * 1997-05-08 1999-09-07 Cox; Neil B. Fraud prevention apparatus and method for performing policing functions for telephone services
US5956717A (en) * 1996-10-07 1999-09-21 Kraay; Thomas A. Database origami
US6005941A (en) * 1996-05-24 1999-12-21 Oki Electric Method and apparatus for providing optional service functions in a private branch exchange
US6141406A (en) * 1997-03-27 2000-10-31 T-Netix, Inc. Method and apparatus for detecting a secondary destination of a telephone call based on changes in the telephone signal path
US6157707A (en) * 1998-04-03 2000-12-05 Lucent Technologies Inc. Automated and selective intervention in transaction-based networks
US6163604A (en) * 1998-04-03 2000-12-19 Lucent Technologies Automated fraud management in transaction-based networks
US6327352B1 (en) 1997-02-24 2001-12-04 Ameritech Corporation System and method for real-time fraud detection within a telecommunications system
US20020031210A1 (en) * 1998-11-17 2002-03-14 Onelink, Inc. System and method for reporting and delivering calls
US20020173292A1 (en) * 1992-03-24 2002-11-21 Atcomm Corporation Call security system
WO2002100080A1 (en) * 2001-06-06 2002-12-12 Worldcom, Inc. Service management system blocking
US6516056B1 (en) * 2000-01-07 2003-02-04 Vesta Corporation Fraud prevention system and method
US6519331B1 (en) * 2000-09-01 2003-02-11 Alcatel Telecommunications system, service control point and method for pre-screening telephone calls to help prevent telephone toll fraud
US6531879B1 (en) 1999-10-28 2003-03-11 Tollgrade Communications, Inc. Method and apparatus for delay-line time-domain reflectometry
US6574321B1 (en) 1997-05-08 2003-06-03 Sentry Telecom Systems Inc. Apparatus and method for management of policies on the usage of telecommunications services
US6601048B1 (en) 1997-09-12 2003-07-29 Mci Communications Corporation System and method for detecting and managing fraud
US6801606B1 (en) * 1997-07-22 2004-10-05 Azure Solutions Limited Fraud monitoring system
US20050014491A1 (en) * 1997-03-27 2005-01-20 T-Netix, Inc. Method and apparatus for detecting a secondary destination of a telephone call based on changes in the telephone signal path
US20050160280A1 (en) * 2003-05-15 2005-07-21 Caslin Michael F. Method and system for providing fraud detection for remote access services
US20050185778A1 (en) * 1998-11-17 2005-08-25 Callvision, Inc. System and method for reporting calls
US20050243984A1 (en) * 2003-05-15 2005-11-03 Mahone Saralyn M Method and apparatus for providing fraud detection using hot or cold originating attributes
US20050249341A1 (en) * 2003-05-15 2005-11-10 Mahone Saralyn M Method and apparatus for providing fraud detection using geographically differentiated connection duration thresholds
US20050278550A1 (en) * 2003-05-15 2005-12-15 Mahone Saralyn M Method and system for prioritizing cases for fraud detection
US7023812B1 (en) * 2000-02-15 2006-04-04 Siemens Communications, Inc. System and method for improving modem transmission through private branch exchanges, central offices, and other systems
US20070116214A1 (en) * 2005-11-17 2007-05-24 Kitchin Dwight W Phase change
US20070224997A1 (en) * 2006-03-23 2007-09-27 Lucent Technologies, Inc. Dynamic ring start delay based on multiple factors
US20070242658A1 (en) * 2006-04-13 2007-10-18 Evercom Systems, Inc. Unauthorized call activity detection and prevention systems and methods for a voice over internet protocol environment
WO2010149373A1 (en) 2009-06-25 2010-12-29 Tully Liam Telecommunication fraud prevention system and method
US7899167B1 (en) 2003-08-15 2011-03-01 Securus Technologies, Inc. Centralized call processing
US8000269B1 (en) * 2001-07-13 2011-08-16 Securus Technologies, Inc. Call processing with voice over internet protocol transmission
GB2481466A (en) * 2010-06-21 2011-12-28 Meir S Cohen Call Routing in Telephone Switch Based on Duplicate Leg Detection
US20120284017A1 (en) * 2005-12-23 2012-11-08 At& T Intellectual Property Ii, L.P. Systems, Methods, and Programs for Detecting Unauthorized Use of Text Based Communications
US8340260B1 (en) 2003-08-15 2012-12-25 Securus Technologies, Inc. Inmate management and call processing systems and methods
EP2736237A1 (en) 2012-11-26 2014-05-28 PBXwall Limited Telecommunication fraud prevention system and method
US9270816B2 (en) 2013-10-04 2016-02-23 Tel-Tech Systems, Inc. Redirecting telephone call to packet-switched data call via voicemail
US9560193B1 (en) 2002-04-29 2017-01-31 Securus Technologies, Inc. Systems and methods for detecting a call anomaly using biometric identification
US9674350B2 (en) 2015-04-27 2017-06-06 Pbxwall Ltd. Telecommunication fraud prevention system and method
US9990683B2 (en) 2002-04-29 2018-06-05 Securus Technologies, Inc. Systems and methods for acquiring, accessing, and analyzing investigative information
US10115080B2 (en) 2002-04-29 2018-10-30 Securus Technologies, Inc. System and method for proactively establishing a third-party payment account for services rendered to a resident of a controlled-environment facility
US10397402B1 (en) * 2015-04-21 2019-08-27 Eric Wold Cross-linking call metadata
CN110856115A (en) * 2019-11-28 2020-02-28 北京明略软件系统有限公司 Identification method and identification device for fraud organization offence area and electronic equipment
US10796392B1 (en) 2007-05-22 2020-10-06 Securus Technologies, Llc Systems and methods for facilitating booking, bonding and release

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4001513A (en) * 1975-07-31 1977-01-04 Northern Electric Company Limited Method and apparatus for the detection of fraudulent toll telephone calls
US4002848A (en) * 1974-11-14 1977-01-11 Reliable Electric Company Toll fraud eliminator for telephone systems
US4182934A (en) * 1978-09-26 1980-01-08 Bell Telephone Laboratories, Incorporated Method and apparatus for detecting irregular telephone calls
US4284851A (en) * 1979-06-29 1981-08-18 Bell Telephone Laboratories, Incorporated Arrangement for frustrating fraudulent telephone calls
US4467148A (en) * 1982-02-02 1984-08-21 Network Control Corporation Telephone line analyzer
US4885767A (en) * 1987-09-29 1989-12-05 Therrien John L Blue-box fraud prevention
US5357564A (en) * 1992-08-12 1994-10-18 At&T Bell Laboratories Intelligent call screening in a virtual communications network

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4002848A (en) * 1974-11-14 1977-01-11 Reliable Electric Company Toll fraud eliminator for telephone systems
US4001513A (en) * 1975-07-31 1977-01-04 Northern Electric Company Limited Method and apparatus for the detection of fraudulent toll telephone calls
US4182934A (en) * 1978-09-26 1980-01-08 Bell Telephone Laboratories, Incorporated Method and apparatus for detecting irregular telephone calls
US4284851A (en) * 1979-06-29 1981-08-18 Bell Telephone Laboratories, Incorporated Arrangement for frustrating fraudulent telephone calls
US4467148A (en) * 1982-02-02 1984-08-21 Network Control Corporation Telephone line analyzer
US4885767A (en) * 1987-09-29 1989-12-05 Therrien John L Blue-box fraud prevention
US5357564A (en) * 1992-08-12 1994-10-18 At&T Bell Laboratories Intelligent call screening in a virtual communications network

Cited By (88)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7747243B2 (en) 1992-03-24 2010-06-29 Boatwright John T Call security system
US8200190B2 (en) 1992-03-24 2012-06-12 Ac Ip Software Institute Llc Call security system
US20020173292A1 (en) * 1992-03-24 2002-11-21 Atcomm Corporation Call security system
US5668856A (en) * 1994-08-05 1997-09-16 Kokusai Denshin Denwa Kabushiki Kaisha Method and system for screening calls directed to an international telephone operator
US20040111305A1 (en) * 1995-04-21 2004-06-10 Worldcom, Inc. System and method for detecting and managing fraud
US7433855B2 (en) 1995-04-21 2008-10-07 Mci Communications Corporation System and method for detecting and managing fraud
US20090129573A1 (en) * 1995-04-21 2009-05-21 Mci Communications Corporation System and method for detecting and managing fraud
US9390418B2 (en) 1995-04-21 2016-07-12 Verizon Patent And Licensing Inc. System and method for detecting and managing fraud
US5724404A (en) * 1995-07-03 1998-03-03 Garcia; Max Integrated international telephone circuit monitoring system
US5777558A (en) * 1996-02-29 1998-07-07 Motorola, Inc. Method for detecting fraudulent use of a communication system
WO1997032289A1 (en) * 1996-02-29 1997-09-04 Motorola Inc. Method for detecting fraudulent use of a communication system
US6005941A (en) * 1996-05-24 1999-12-21 Oki Electric Method and apparatus for providing optional service functions in a private branch exchange
US5956717A (en) * 1996-10-07 1999-09-21 Kraay; Thomas A. Database origami
US20070242818A1 (en) * 1997-02-24 2007-10-18 Sbc Properties, L.P. System and method for real-time fraud detection within a telecommunication network
US20030228008A1 (en) * 1997-02-24 2003-12-11 Betts Judy Lynn System and method for real-time fraud detection within a telecommunications system
US20080267375A1 (en) * 1997-02-24 2008-10-30 Ameritech Corporation System and method for real-time fraud detection within a telecommunication network
US7058166B2 (en) 1997-02-24 2006-06-06 Sbc Properties, L.P. System and method for real-time fraud detection within a telecommunications system
US6567511B2 (en) 1997-02-24 2003-05-20 Ameritech Corporation System and method for real-time fraud detection within a telecommunications system
US7248681B2 (en) 1997-02-24 2007-07-24 Sbc Properties, L.P. System and method for real-time fraud detection within a telecommunication network
US7406161B2 (en) 1997-02-24 2008-07-29 Sbc Properties, L.P. System and method for real-time fraud detection within a telecommunication network
US7570751B2 (en) 1997-02-24 2009-08-04 At&T Intellectual Property I, L.P. System and method for real-time fraud detection within a telecommunication network
US6327352B1 (en) 1997-02-24 2001-12-04 Ameritech Corporation System and method for real-time fraud detection within a telecommunications system
US6141406A (en) * 1997-03-27 2000-10-31 T-Netix, Inc. Method and apparatus for detecting a secondary destination of a telephone call based on changes in the telephone signal path
US20050014491A1 (en) * 1997-03-27 2005-01-20 T-Netix, Inc. Method and apparatus for detecting a secondary destination of a telephone call based on changes in the telephone signal path
US7136471B2 (en) * 1997-03-27 2006-11-14 T-Netix, Inc. Method and apparatus for detecting a secondary destination of a telephone call based on changes in the telephone signal path
US5949864A (en) * 1997-05-08 1999-09-07 Cox; Neil B. Fraud prevention apparatus and method for performing policing functions for telephone services
US6574321B1 (en) 1997-05-08 2003-06-03 Sentry Telecom Systems Inc. Apparatus and method for management of policies on the usage of telecommunications services
US6801606B1 (en) * 1997-07-22 2004-10-05 Azure Solutions Limited Fraud monitoring system
US20050075992A1 (en) * 1997-09-12 2005-04-07 Mci Worldcom, Inc. System, method and computer program product for processing event records
US6601048B1 (en) 1997-09-12 2003-07-29 Mci Communications Corporation System and method for detecting and managing fraud
US7117191B2 (en) 1997-09-12 2006-10-03 Mci, Inc. System, method and computer program product for processing event records
US6732082B1 (en) * 1997-09-12 2004-05-04 Worldcom, Inc. System, method and computer program product for processing event records
US6163604A (en) * 1998-04-03 2000-12-19 Lucent Technologies Automated fraud management in transaction-based networks
US6157707A (en) * 1998-04-03 2000-12-05 Lucent Technologies Inc. Automated and selective intervention in transaction-based networks
US20020031210A1 (en) * 1998-11-17 2002-03-14 Onelink, Inc. System and method for reporting and delivering calls
US6980631B1 (en) * 1998-11-17 2005-12-27 Callvision, Inc. System and method for reporting calls
US20050185778A1 (en) * 1998-11-17 2005-08-25 Callvision, Inc. System and method for reporting calls
US7065192B2 (en) 1998-11-17 2006-06-20 Callvision, Inc. System and method for reporting calls
US7092502B2 (en) 1998-11-17 2006-08-15 Callvision, Inc. System and method for reporting and delivering calls
US6531879B1 (en) 1999-10-28 2003-03-11 Tollgrade Communications, Inc. Method and apparatus for delay-line time-domain reflectometry
US6516056B1 (en) * 2000-01-07 2003-02-04 Vesta Corporation Fraud prevention system and method
US7023812B1 (en) * 2000-02-15 2006-04-04 Siemens Communications, Inc. System and method for improving modem transmission through private branch exchanges, central offices, and other systems
US6519331B1 (en) * 2000-09-01 2003-02-11 Alcatel Telecommunications system, service control point and method for pre-screening telephone calls to help prevent telephone toll fraud
WO2002100080A1 (en) * 2001-06-06 2002-12-12 Worldcom, Inc. Service management system blocking
US8000269B1 (en) * 2001-07-13 2011-08-16 Securus Technologies, Inc. Call processing with voice over internet protocol transmission
US10115080B2 (en) 2002-04-29 2018-10-30 Securus Technologies, Inc. System and method for proactively establishing a third-party payment account for services rendered to a resident of a controlled-environment facility
US9560193B1 (en) 2002-04-29 2017-01-31 Securus Technologies, Inc. Systems and methods for detecting a call anomaly using biometric identification
US10178224B2 (en) 2002-04-29 2019-01-08 Securus Technologies, Inc. Systems and methods for detecting a call anomaly using biometric identification
US9990683B2 (en) 2002-04-29 2018-06-05 Securus Technologies, Inc. Systems and methods for acquiring, accessing, and analyzing investigative information
US7774842B2 (en) 2003-05-15 2010-08-10 Verizon Business Global Llc Method and system for prioritizing cases for fraud detection
US20050160280A1 (en) * 2003-05-15 2005-07-21 Caslin Michael F. Method and system for providing fraud detection for remote access services
US20100080372A1 (en) * 2003-05-15 2010-04-01 Verizon Patent And Licensing Inc. Method and apparatus for providing fraud detection using hot or cold originating attributes
US20050268113A1 (en) * 2003-05-15 2005-12-01 Mahone Saralyn M Method and apparatus for providing fraud detection using connection frequency thresholds
US8340259B2 (en) 2003-05-15 2012-12-25 Verizon Business Global Llc Method and apparatus for providing fraud detection using hot or cold originating attributes
US7783019B2 (en) 2003-05-15 2010-08-24 Verizon Business Global Llc Method and apparatus for providing fraud detection using geographically differentiated connection duration thresholds
US7817791B2 (en) * 2003-05-15 2010-10-19 Verizon Business Global Llc Method and apparatus for providing fraud detection using hot or cold originating attributes
US20050278550A1 (en) * 2003-05-15 2005-12-15 Mahone Saralyn M Method and system for prioritizing cases for fraud detection
US20050243984A1 (en) * 2003-05-15 2005-11-03 Mahone Saralyn M Method and apparatus for providing fraud detection using hot or cold originating attributes
US8638916B2 (en) 2003-05-15 2014-01-28 Verizon Business Global Llc Method and apparatus for providing fraud detection using connection frequency and cumulative duration thresholds
US7971237B2 (en) 2003-05-15 2011-06-28 Verizon Business Global Llc Method and system for providing fraud detection for remote access services
US20050249341A1 (en) * 2003-05-15 2005-11-10 Mahone Saralyn M Method and apparatus for providing fraud detection using geographically differentiated connection duration thresholds
US8015414B2 (en) 2003-05-15 2011-09-06 Verizon Business Global Llc Method and apparatus for providing fraud detection using connection frequency thresholds
US20050262563A1 (en) * 2003-05-15 2005-11-24 Mahone Saralyn M Method and apparatus for providing fraud detection using connection frequency and cumulative duration thresholds
US7899167B1 (en) 2003-08-15 2011-03-01 Securus Technologies, Inc. Centralized call processing
US8340260B1 (en) 2003-08-15 2012-12-25 Securus Technologies, Inc. Inmate management and call processing systems and methods
US10740861B1 (en) 2003-11-24 2020-08-11 Securus Technologies, Inc. Systems and methods for acquiring, accessing, and analyzing investigative information
US8135127B2 (en) 2005-11-17 2012-03-13 Securus Technologies, Inc. Method and apparatus for detecting and responding to events occurring on remote telephone
US20070116214A1 (en) * 2005-11-17 2007-05-24 Kitchin Dwight W Phase change
US9173096B2 (en) 2005-12-23 2015-10-27 At&T Intellectual Property Ii, L.P. Systems, methods and programs for detecting unauthorized use of text based communications services
US10097997B2 (en) 2005-12-23 2018-10-09 At&T Intellectual Property Ii, L.P. Systems, methods and programs for detecting unauthorized use of text based communications services
US8548811B2 (en) 2005-12-23 2013-10-01 At&T Intellectual Property Ii, L.P. Systems, methods, and programs for detecting unauthorized use of text based communications services
US8386253B2 (en) * 2005-12-23 2013-02-26 At&T Intellectual Property Ii, L.P. Systems, methods, and programs for detecting unauthorized use of text based communications
US9491179B2 (en) 2005-12-23 2016-11-08 At&T Intellectual Property Ii, L.P. Systems, methods and programs for detecting unauthorized use of text based communications services
US20120284017A1 (en) * 2005-12-23 2012-11-08 At& T Intellectual Property Ii, L.P. Systems, Methods, and Programs for Detecting Unauthorized Use of Text Based Communications
US7542768B2 (en) * 2006-03-23 2009-06-02 Alcatel-Lucent Usa Inc. Dynamic ring start delay based on multiple factors
US20070224997A1 (en) * 2006-03-23 2007-09-27 Lucent Technologies, Inc. Dynamic ring start delay based on multiple factors
US20070242658A1 (en) * 2006-04-13 2007-10-18 Evercom Systems, Inc. Unauthorized call activity detection and prevention systems and methods for a voice over internet protocol environment
US7916845B2 (en) 2006-04-13 2011-03-29 Securus Technologies, Inc. Unauthorized call activity detection and prevention systems and methods for a Voice over Internet Protocol environment
US10796392B1 (en) 2007-05-22 2020-10-06 Securus Technologies, Llc Systems and methods for facilitating booking, bonding and release
WO2010149373A1 (en) 2009-06-25 2010-12-29 Tully Liam Telecommunication fraud prevention system and method
AU2010257236B2 (en) * 2010-06-21 2013-11-28 Teltech Systems, Inc. Call Routing in Telephone Switch Based on Duplicate Leg Detection
US8369508B2 (en) 2010-06-21 2013-02-05 Tel-Tech Systems, Inc. Call routing in telephone switch based on duplicate leg detection
GB2481466A (en) * 2010-06-21 2011-12-28 Meir S Cohen Call Routing in Telephone Switch Based on Duplicate Leg Detection
EP2736237A1 (en) 2012-11-26 2014-05-28 PBXwall Limited Telecommunication fraud prevention system and method
US9270816B2 (en) 2013-10-04 2016-02-23 Tel-Tech Systems, Inc. Redirecting telephone call to packet-switched data call via voicemail
US10397402B1 (en) * 2015-04-21 2019-08-27 Eric Wold Cross-linking call metadata
US9674350B2 (en) 2015-04-27 2017-06-06 Pbxwall Ltd. Telecommunication fraud prevention system and method
CN110856115A (en) * 2019-11-28 2020-02-28 北京明略软件系统有限公司 Identification method and identification device for fraud organization offence area and electronic equipment

Similar Documents

Publication Publication Date Title
US5504810A (en) Telecommunications fraud detection scheme
EP0618713B1 (en) Real-time fraud monitoring system in a telecommunication network
US5335265A (en) Apparatus for detecting and preventing subscriber number cloning in a cellular mobile telephone system
US6078647A (en) Method and apparatus for detecting a data service provider in a public switched telephone network
CA2138420A1 (en) Security system for terminating fraudulent telephone calls
US20120099711A1 (en) Telecommunication fraud prevention system and method
US6418212B1 (en) Telephone fraud detection and prevention
US6556669B2 (en) International origination to domestic termination call blocking
US4182934A (en) Method and apparatus for detecting irregular telephone calls
CA2461306A1 (en) Method and system for using bad billed number records to prevent fraud in a telecommunications system
US6404871B1 (en) Termination number screening
MXPA02005701A (en) Session initiation protocol servlet application programming interface.
US7945037B1 (en) System and method for remote call forward detection using signaling
CA2229015C (en) Inhibiting completion of defrauding calls
KR20120010372A (en) Auto detecting system and method for illegal call
US6169724B1 (en) Egress network service monitor
US20020186825A1 (en) Service management system blocking
MXPA02005970A (en) Country to country call intercept process (cip).
AU2003204506B2 (en) Monitoring a communication network
CA2278794A1 (en) Telephone callback detector
WO1999005847A1 (en) Monitoring a communication network
IE20100402U1 (en) Telecommunication fraud prevention system and method

Legal Events

Date Code Title Description
AS Assignment

Owner name: AMERICAN TELEPHONE AND TELEGRAPH COMPANY, NEW YORK

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MCNAIR, BRUCE E.;REEL/FRAME:006717/0507

Effective date: 19930921

AS Assignment

Owner name: AT&T IPM CORP., FLORIDA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:AT&T CORP.;REEL/FRAME:007528/0038

Effective date: 19950523

Owner name: AT&T CORP., NEW YORK

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:AMERICAN TELELPHONE AND TELEGRAPH COMPANY;REEL/FRAME:007527/0274

Effective date: 19940420

STCF Information on status: patent grant

Free format text: PATENTED CASE

FEPP Fee payment procedure

Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

FPAY Fee payment

Year of fee payment: 4

FEPP Fee payment procedure

Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Free format text: PAYER NUMBER DE-ASSIGNED (ORIGINAL EVENT CODE: RMPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

FPAY Fee payment

Year of fee payment: 8

FEPP Fee payment procedure

Free format text: PAYER NUMBER DE-ASSIGNED (ORIGINAL EVENT CODE: RMPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

FPAY Fee payment

Year of fee payment: 12

AS Assignment

Owner name: CREDIT SUISSE AG, NEW YORK

Free format text: SECURITY INTEREST;ASSIGNOR:ALCATEL-LUCENT USA INC.;REEL/FRAME:030510/0627

Effective date: 20130130

AS Assignment

Owner name: ALCATEL-LUCENT USA INC., NEW JERSEY

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG;REEL/FRAME:033950/0261

Effective date: 20140819